[ISO/IEC 27001] - (Requirement 4.3) - Determining the scope of ISMS - Part 05

Author: vitormaleite

After covering requirements 5.1, 4.1 and 4.2, it is now time to discuss requirement 4.3, "Determining the scope of the ISMS":

The requirement says that:

"the organization must determine the boundaries and applicability of the information security management system to establish its scope".

But what does this mean?


To determine the scope, we need to consider the internal and external issues, the needs and expectations of interested parties, and all interfaces and dependencies between the activities performed by the organization and those carried out by other organizations.


As a requirement obligation, the scope must be available as documented information. So, to properly document the scope, we need to consolidate everything we have seen so far into a single document.


We are going to use a template, which is divided into five sections:


You will see that many of the sections and subsections were already covered in Requirement 4.1 and Requirement 4.2. Therefore, it is only necessary to document each part in its corresponding section/subsection:







Some sections were not covered before, for the following reasons:


  • Subsection 2.4: since the beginning of the series, we have made it clear that our fictional tourism agency offers a service, not a product; therefore, this subsection can be disregarded;

  • Subsection 2.7: there will be an article in this series about objectives and policy, which is why I didn't cover it at this point;

  • Subsection 3.3: since ISO is not prescriptive, in my opinion I would include this section only in the Risk Analysis Methodology, but of course, you can decide.


Now, about Section 5: I believe it could be moved to the beginning of the document, together with the introduction. After all, the entire document is related to the scope, and that section would introduce the others.


This way, in the end, we would have our scope documented. And you can be sure that this is one of the most important ISMS documents. An auditor, whether in an internal audit or a certification audit, will ask for this document. It serves as a guide for them.


The next article will be about Requirement 5.2, Policy. =)


© 2018 - 2025
